Overlapping Wildcard Order Identifiers

Starting this week (Edit: 2018-03-22: This is now active in production) ACME v2 NewOrder requests with overlapping wildcard/non-wildcard identifiers will produce an urn:ietf:params:acme:error:malformed problem response indicating that one of the domain names is redundant with a wildcard domain in the same request. To fix this, the client should submit a revised NewOrder request with the overlapping identifier removed.

We mentioned this briefly in our initial ACME v2 Production Environment & Wildcards announcement post but delays in the implementation meant that we launched without this enforcement in place. Previously acceptable NewOrder requests with overlapping identifiers will be rejected after the enforcement is enabled.

An example of an overlapping NewOrder request is:

  "identifers": [
     { "type": "dns", "value": "*.example.com" },
     { "type": "dns", "value": "www.example.com" }

In the above case the "www.example.com" identifier overlaps with the "*.example.com" identifier and one or the other should be removed.



This change is now active in the production environment.